File name: Eye_Saver-setup-2.48.exe

Full analysis: https://app.any.run/tasks/876a5b9a-d6e2-4cd6-9c6c-25f14818ea61
Verdict: Malicious activity
Analysis date: January 23, 2024, 08:44:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1117FB07571F6DD0E55D4DBF1F0CE908
SHA1: 0ABD501EC96A0994CEADDD0D1299749027648F14
SHA256: 30B56B9AA2CABDE21A9B4A898D4299A7BBCA6235FB5C0EE9939D938CDB20E6B6
SSDEEP: 98304:l02dVzUS+0oNhXdTkXq4BLDXiBPEKPnixdN9d1DUHRHsLkw+OOuaHiVP4iw7o344:9zjfp
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Eye_Saver-setup-2.48.exe (PID: 1036)
      • Eye_Saver-setup-2.48.exe (PID: 980)
      • Eye_Saver-setup-2.48.tmp (PID: 2260)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Eye_Saver-setup-2.48.exe (PID: 1036)
      • Eye_Saver-setup-2.48.exe (PID: 980)
      • Eye_Saver-setup-2.48.tmp (PID: 2260)
    • Uses TASKKILL.EXE to kill process

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
    • Reads the Windows owner or organization settings

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
    • Reads the Internet Settings

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
      • Eye Saver.exe (PID: 3984)
    • Process drops legitimate windows executable

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
    • Reads Internet Explorer settings

      • Eye Saver.exe (PID: 3984)
    • Checks Windows Trust Settings

      • Eye Saver.exe (PID: 3984)
    • Reads security settings of Internet Explorer

      • Eye Saver.exe (PID: 3984)
    • Reads settings of System Certificates

      • Eye Saver.exe (PID: 3984)
    • Reads Microsoft Outlook installation path

      • Eye Saver.exe (PID: 3984)
  • INFO

    • Checks supported languages

      • Eye_Saver-setup-2.48.exe (PID: 1036)
      • Eye_Saver-setup-2.48.exe (PID: 980)
      • Eye_Saver-setup-2.48.tmp (PID: 2404)
      • Eye Saver.exe (PID: 3984)
      • Eye_Saver-setup-2.48.tmp (PID: 2260)
    • Creates files in a temporary directory

      • Eye_Saver-setup-2.48.exe (PID: 980)
      • Eye_Saver-setup-2.48.exe (PID: 1036)
      • Eye_Saver-setup-2.48.tmp (PID: 2260)
    • Reads the computer name

      • Eye_Saver-setup-2.48.tmp (PID: 2404)
      • Eye_Saver-setup-2.48.tmp (PID: 2260)
      • Eye Saver.exe (PID: 3984)
    • Reads the machine GUID from the registry

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
      • Eye Saver.exe (PID: 3984)
    • Creates files or folders in the user directory

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
      • Eye Saver.exe (PID: 3984)
    • Creates files in the program directory

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
      • Eye Saver.exe (PID: 3984)
    • Checks proxy server information

      • Eye_Saver-setup-2.48.tmp (PID: 2260)
      • Eye Saver.exe (PID: 3984)
Signature artifacts and their mapping to the MITRE ATT&CK matrix are listed in the full report.

Note on the verdict: the only signature in the MALICIOUS tier is "Drops the executable file immediately after the start". That is how every Inno Setup installer runs (the loader extracts the Setup program into a %TEMP%\is-XXXXX.tmp folder and executes it), and the file's version resource below states that it was built with Inno Setup. The SUSPICIOUS entries are likewise consistent with an installer: it uses taskkill to stop a running copy of "Eye Saver.exe" before overwriting it, reads proxy and certificate-store settings through WinINet, and drops (but, per the process list, does not run) the Microsoft .NET Framework 4.5.2 web installer NDP452-KB2901954-Web.exe, which the .NET-based "Eye Saver.exe" (it loads mscoree.dll and mscoreei.dll) needs. The report records no network threats and extracts no malware configuration, so the verdict is an automated behaviour score, not a match against a known family.

No malware configuration.

TRiD (file-type guesses, confidence in %)

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:06:14 15:27:46+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x1181c
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Leosoft ltd.
FileDescription: Eye Saver Setup
FileVersion:
LegalCopyright:
ProductName: Eye Saver
ProductVersion: 2.48
Total processes: 49
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph

The graph on the original page is interactive; "no specs" marks nodes without signature hits of their own. The chain below is reconstructed from the Parent process and Integrity Level fields in the Process information section. PID 980 is placed under PID 2404 because its /NOTIFYWND=$8010A equals the window handle PID 2404 received in /SL5; PID 2260 is placed under PID 980 because it repeats 980's /SPAWNWND and /NOTIFYWND values and runs at the same (HIGH) integrity level.

explorer.exe
  +- Eye_Saver-setup-2.48.exe (PID 1036, MEDIUM; Inno Setup loader)
     +- Eye_Saver-setup-2.48.tmp (PID 2404, MEDIUM; Setup, no specs)
        +- Eye_Saver-setup-2.48.exe (PID 980, HIGH; loader re-launched elevated with /SPAWNWND and /NOTIFYWND)
           +- Eye_Saver-setup-2.48.tmp (PID 2260, HIGH; elevated Setup that performs the installation)
              +- taskkill.exe (PID 2452, HIGH; /f /t /im "Eye Saver.exe", no specs)
              +- Eye Saver.exe (PID 3984, MEDIUM; --askrestart. The report names only the parent image, so PID 2404 is also possible)

Process information

PID 980
CMD: "C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe" /SPAWNWND=$1600E6 /NOTIFYWND=$8010A
Path: C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe
Parent process: Eye_Saver-setup-2.48.tmp
User:
admin
Company:
Leosoft ltd.
Integrity Level:
HIGH
Description:
Eye Saver Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\eye_saver-setup-2.48.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID 1036
CMD: "C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe"
Path: C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe
Parent process: explorer.exe
User:
admin
Company:
Leosoft ltd.
Integrity Level:
MEDIUM
Description:
Eye Saver Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\eye_saver-setup-2.48.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID 2260
CMD: "C:\Users\admin\AppData\Local\Temp\is-AU3NV.tmp\Eye_Saver-setup-2.48.tmp" /SL5="$120128,3134541,121344,C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe" /SPAWNWND=$1600E6 /NOTIFYWND=$8010A
Path: C:\Users\admin\AppData\Local\Temp\is-AU3NV.tmp\Eye_Saver-setup-2.48.tmp
Parent process: Eye_Saver-setup-2.48.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-au3nv.tmp\eye_saver-setup-2.48.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID 2404
CMD: "C:\Users\admin\AppData\Local\Temp\is-VOBLF.tmp\Eye_Saver-setup-2.48.tmp" /SL5="$8010A,3134541,121344,C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-VOBLF.tmp\Eye_Saver-setup-2.48.tmp
Parent process: Eye_Saver-setup-2.48.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-voblf.tmp\eye_saver-setup-2.48.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID 2452
CMD: "taskkill.exe" /f /t /im "Eye Saver.exe"
Path: C:\Windows\System32\taskkill.exe
Parent process: Eye_Saver-setup-2.48.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128 (taskkill returns 128 when no process matched the /im filter, so no earlier copy of Eye Saver.exe was running in the sandbox)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID 3984
CMD: "C:\Program Files\Eye Saver\Eye Saver.exe" --askrestart
Path: C:\Program Files\Eye Saver\Eye Saver.exe
Parent process: Eye_Saver-setup-2.48.tmp
User:
admin
Company:
Leosoft
Integrity Level:
MEDIUM
Description:
Eye Saver
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\eye saver\eye saver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
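Reconstructing the process chain is the first thing an analyst does with a report like this, and here the report gives parents only as image names, not PIDs. The following Python script is an added example written for this page (it is not ANY.RUN's or Leosoft's code). It takes the six monitored processes as transcribed from the Process information section, resolves parent PIDs from the window handles that Inno Setup's loader and Setup pass each other in /SL5 and /NOTIFYWND, falls back to a same-integrity-level heuristic where handles do not decide, and then reports where the integrity level rises (the UAC re-launch) and which image names taskkill was told to terminate. The handle-matching rule and the fallback are this script's inference; treating the two integers in /SL5 as data offsets inside the installer is an assumption.

```python
"""Rebuild the installer's process chain from the report's Process information
section and flag what a triage analyst checks first: where integrity rose and
what taskkill was asked to kill. Records are transcribed from the report;
parent-PID resolution is this script's inference."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
HANDLE_RE = re.compile(r"/(SPAWNWND|NOTIFYWND)=\$([0-9A-Fa-f]+)")
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]*)"')


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    integrity: str      # as printed in the report
    cmdline: str
    parent_image: str   # the report names only the parent's image, not its PID


# Transcribed from the report: PID, image, integrity level, command line, parent image.
PROCS = [
    Proc(1036, "Eye_Saver-setup-2.48.exe", "MEDIUM",
         r'"C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe"', "explorer.exe"),
    Proc(2404, "Eye_Saver-setup-2.48.tmp", "MEDIUM",
         r'"C:\Users\admin\AppData\Local\Temp\is-VOBLF.tmp\Eye_Saver-setup-2.48.tmp" '
         r'/SL5="$8010A,3134541,121344,C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe"',
         "Eye_Saver-setup-2.48.exe"),
    Proc(980, "Eye_Saver-setup-2.48.exe", "HIGH",
         r'"C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe" /SPAWNWND=$1600E6 /NOTIFYWND=$8010A',
         "Eye_Saver-setup-2.48.tmp"),
    Proc(2260, "Eye_Saver-setup-2.48.tmp", "HIGH",
         r'"C:\Users\admin\AppData\Local\Temp\is-AU3NV.tmp\Eye_Saver-setup-2.48.tmp" '
         r'/SL5="$120128,3134541,121344,C:\Users\admin\AppData\Local\Temp\Eye_Saver-setup-2.48.exe" '
         r'/SPAWNWND=$1600E6 /NOTIFYWND=$8010A',
         "Eye_Saver-setup-2.48.exe"),
    Proc(2452, "taskkill.exe", "HIGH", r'"taskkill.exe" /f /t /im "Eye Saver.exe"',
         "Eye_Saver-setup-2.48.tmp"),
    Proc(3984, "Eye Saver.exe", "MEDIUM", r'"C:\Program Files\Eye Saver\Eye Saver.exe" --askrestart',
         "Eye_Saver-setup-2.48.tmp"),
]


def inno_params(cmdline: str) -> Dict[str, object]:
    """Window handles the Inno Setup loader and Setup pass each other. /SL5 carries
    the loader's window handle, two integers and the loader's path; reading the two
    integers as data offsets inside the installer is an assumption."""
    params: Dict[str, object] = {k: int(v, 16) for k, v in HANDLE_RE.findall(cmdline)}
    m = SL5_RE.search(cmdline)
    if m:
        params["SL5_HWND"] = int(m.group(1), 16)
        params["SL5_NUMS"] = (int(m.group(2)), int(m.group(3)))
        params["SL5_LOADER"] = m.group(4)
    return params


def resolve_parents(procs: List[Proc]) -> Dict[int, Optional[int]]:
    """Rule 1: a child's /NOTIFYWND names the loader window that a Setup (.tmp)
    instance received in /SL5, so that .tmp spawned it (Inno's UAC re-launch).
    Rule 2 (heuristic): otherwise take the unique candidate with the parent's
    image name at the same integrity level, since a process normally starts
    children at its own integrity level. Anything else stays unresolved."""
    params = {p.pid: inno_params(p.cmdline) for p in procs}
    out: Dict[int, Optional[int]] = {}
    for child in procs:
        cands = [p for p in procs if p.image == child.parent_image and p.pid != child.pid]
        notify = params[child.pid].get("NOTIFYWND")
        by_handle = [p for p in cands if notify is not None and params[p.pid].get("SL5_HWND") == notify]
        same_il = [p for p in cands if p.integrity == child.integrity]
        if len(by_handle) == 1:
            out[child.pid] = by_handle[0].pid
        elif len(same_il) == 1:
            out[child.pid] = same_il[0].pid
        else:
            out[child.pid] = None   # parent not monitored (explorer.exe) or ambiguous
    return out


def elevation_edges(procs: List[Proc], parents: Dict[int, Optional[int]]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where the child runs at a higher integrity level."""
    by_pid = {p.pid: p for p in procs}
    return [(parents[p.pid], p.pid) for p in procs
            if parents[p.pid] is not None
            and RANK[p.integrity] > RANK[by_pid[parents[p.pid]].integrity]]


def taskkill_targets(procs: List[Proc]) -> Dict[int, List[str]]:
    """Image names passed to taskkill /im; non-POSIX split keeps the Windows quoting."""
    targets: Dict[int, List[str]] = {}
    for p in procs:
        if p.image.lower() != "taskkill.exe":
            continue
        toks = [t.strip('"') for t in shlex.split(p.cmdline, posix=False)]
        targets[p.pid] = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t.lower() == "/im"]
    return targets


def chain(procs: List[Proc], parents: Dict[int, Optional[int]], pid: Optional[int]) -> List[str]:
    """Ancestor chain as 'pid:image[IL]' strings, root first."""
    by_pid = {p.pid: p for p in procs}
    out: List[str] = []
    while pid is not None:
        p = by_pid[pid]
        out.append(f"{p.pid}:{p.image}[{p.integrity}]")
        pid = parents[pid]
    return list(reversed(out))


if __name__ == "__main__":
    parents = resolve_parents(PROCS)
    for p in PROCS:
        print(" -> ".join(chain(PROCS, parents, p.pid)))
    print("elevation:", elevation_edges(PROCS, parents))
    print("taskkill:", taskkill_targets(PROCS))
```

The script places PID 980 under PID 2404 purely from the handle match, and the integrity check then isolates that edge as the single point where the installer crossed a UAC boundary; in a report where the elevation edge lands on an unexpected image, that is the line to investigate.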
Total events: 5 167
Read events: 5 096
Write events: 65
Delete events: 6

Modification events

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 2260 (Eye_Saver-setup-2.48.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3984 (Eye Saver.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

PID 3984 (Eye Saver.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
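The SavedLegacySettings write above is the one registry event here whose value is not self-explanatory, and it is the artifact to decode when a sample touches Internet Settings: it records which proxy mechanisms WinINet will honour. The following Python parser is an added example written for this page (it is not ANY.RUN's or Leosoft's code). The hex blob is copied verbatim from the report; the leading fields (version, change counter, flags, then three length-prefixed ANSI strings for proxy server, bypass list and auto-config URL) and the flag-bit meanings are the documented part of this WinINet format. Reading the eight bytes at blob offset 32 as a FILETIME is this example's assumption about an undocumented region, and the second blob built in the test is constructed, not taken from the report.

```python
"""Decode the WinINet connection-settings blob (SavedLegacySettings, same layout
as DefaultConnectionSettings) written under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections.
Documented leading fields: version, change counter, flags, then three
length-prefixed ANSI strings (proxy server, bypass list, auto-config URL).
Everything after that is kept as an opaque trailer."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Value copied verbatim from the report's write event for PID 2260.
SAVED_LEGACY_SETTINGS_HEX = "460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

# Flag bits as documented for this format.
FLAG_NAMES = {0x01: "direct", 0x02: "manual_proxy", 0x04: "auto_config_script", 0x08: "auto_detect"}


@dataclass
class ConnectionSettings:
    version: int
    change_counter: int     # incremented by Windows on every settings change
    flags: int
    proxy_server: str
    proxy_bypass: str
    autoconfig_url: str
    trailer: bytes          # undocumented region, left unparsed

    def flag_names(self) -> List[str]:
        return [name for bit, name in sorted(FLAG_NAMES.items()) if self.flags & bit]

    def redirect_vectors(self) -> List[str]:
        """Settings that let something other than this host decide where traffic
        goes: a manual proxy, a PAC script, or WPAD auto-detection."""
        out: List[str] = []
        if self.flags & 0x02 and self.proxy_server:
            out.append("manual_proxy:" + self.proxy_server)
        if self.flags & 0x04 and self.autoconfig_url:
            out.append("pac:" + self.autoconfig_url)
        if self.flags & 0x08:
            out.append("wpad")
        return out


def _read_lpstr(buf: bytes, off: int):
    """DWORD length followed by that many ANSI bytes; bounds-checked."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length runs past the end of the blob")
    return buf[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(blob: bytes) -> ConnectionSettings:
    if len(blob) < 24:
        raise ValueError("blob shorter than the 24-byte fixed header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    pac, off = _read_lpstr(blob, off)
    return ConnectionSettings(version, counter, flags, proxy, bypass, pac, blob[off:])


def build_connection_settings(flags: int, proxy: str = "", bypass: str = "", pac: str = "",
                              counter: int = 1, trailer: bytes = b"\0" * 32) -> bytes:
    """Inverse of the parser, used here to construct a blob with a manual proxy."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac):
        b = s.encode("latin-1")
        out += struct.pack("<I", len(b)) + b
    return out + trailer


def trailer_filetime(settings: ConnectionSettings) -> datetime:
    """Assumption: the 8 bytes at trailer offset 8 (blob offset 32) look like a
    Windows FILETIME. The region is undocumented, so treat this as a plausibility
    check rather than a fact."""
    (ft,) = struct.unpack_from("<Q", settings.trailer, 8)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


if __name__ == "__main__":
    s = parse_connection_settings(bytes.fromhex(SAVED_LEGACY_SETTINGS_HEX))
    print(f"version={s.version} counter={s.change_counter} flags={s.flags:#x} {s.flag_names()}")
    print("redirect vectors:", s.redirect_vectors())
    print("trailer filetime (assumed):", trailer_filetime(s).isoformat())
```

For this report the blob decodes to flags 0x09 (direct connection plus auto-detect) with no proxy, bypass list or PAC URL, which matches the ProxyEnable=0 write next to it; the auto-detect bit is worth noting because WPAD lets a device on the local network hand the host a proxy configuration, so a sample that turns it on is altering where the host's HTTP traffic can be routed.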
Executable files: 12
Suspicious files: 4
Text files: 12
Unknown types: 0

Dropped files

PID 1036 (Eye_Saver-setup-2.48.exe)
File: C:\Users\admin\AppData\Local\Temp\is-VOBLF.tmp\Eye_Saver-setup-2.48.tmp
Type: executable
MD5: 34ACC2BDB45A9C436181426828C4CB49
SHA256: 9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\Program Files\Eye Saver\unins000.exe
Type: executable
MD5: 57B84FAD59F380D600E8DA86475C5787
SHA256: CB8C2397060D07A8A2E8758AFABC5D08289899B67A25EA732485467F526FF865

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\Program Files\Eye Saver\is-HMAJJ.tmp
Type: executable
MD5: B3B4E9441545161C660A5B5C5A40FCA0
SHA256: D7C62D836B5421FC95B55E6AA28063A6112D0B7EE7ED0A6DE6A4266CD05DED0B

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\Users\admin\AppData\Local\Temp\is-AJJ81.tmp\NDP452-KB2901954-Web.exe
Type: executable
MD5: CA41DBA55A727F01104871B160CD5B1D
SHA256: BD173D14A371E6786C4AE90BE1F2C560458D672BA4CBEB3CF55BEBFEF2E2778A

PID 980 (Eye_Saver-setup-2.48.exe)
File: C:\Users\admin\AppData\Local\Temp\is-AU3NV.tmp\Eye_Saver-setup-2.48.tmp
Type: executable
MD5: 34ACC2BDB45A9C436181426828C4CB49
SHA256: 9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\Program Files\Eye Saver\Eye Saver.exe
Type: executable
MD5: B3B4E9441545161C660A5B5C5A40FCA0
SHA256: D7C62D836B5421FC95B55E6AA28063A6112D0B7EE7ED0A6DE6A4266CD05DED0B

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\PCRBXNFN.txt
Type: text
MD5: BAFA940AC6DE5B4ABD74BBB53D9F4649
SHA256: B4292C5B5D690D15367040E58E21CC6AB6CF7FDF9C65B6F2B071F55C7E23317C

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\ProgramData\Eye Saver\bin\is-NB4HV.tmp
Type: executable
MD5: 7511403E6437FA65DDFF805E8B7BB2A1
SHA256: 2D76811AD4F6535432815EB8C9B9FC046DF1252C3F91FF9CEE1A891B159E4668

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eye Saver\Eye Saver on the Web.url
Type: text
MD5: C548BA0DFE709D9B3BA0FCF193CAF550
SHA256: 05B294ABDD28604DBFDBA72990ED496FA7C653C76B4DA8BBC5224DDB89CEEFE5

PID 2260 (Eye_Saver-setup-2.48.tmp)
File: C:\Program Files\Eye Saver\images\uninstall-warning.bmp
Type: image
MD5: 52C4610B5D05D01E80D8E12474FF98BC
SHA256: C6AADA6E9C7A49A4D8EF776975107FD512061B3CFAE5EFC068930B445AAE2018

Two pairs in this list share hashes and are therefore one payload each: the Setup program extracted twice (is-VOBLF.tmp by the unelevated loader, is-AU3NV.tmp by the elevated one), and C:\Program Files\Eye Saver\is-HMAJJ.tmp together with Eye Saver.exe, since Inno Setup writes each file under a temporary is-XXXXX.tmp name in the destination folder and renames it into place. The file dropped in C:\ProgramData\Eye Saver\bin\is-NB4HV.tmp is the only unique executable whose final name the report does not show. NDP452-KB2901954-Web.exe is the file name of Microsoft's .NET Framework 4.5.2 web installer; it is dropped from the installer's own payload (no download of it appears in the HTTP requests) and no process for it appears in the process list.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID 2260 (Eye_Saver-setup-2.48.tmp)
GET http://www.eye-saver.net/latestversion.txt?3648621774951168
HTTP code: 200 | IP: 188.114.96.3:80 | CN: unknown | Type: text | Size: 4 b | Reputation: unknown

PID 3984 (Eye Saver.exe)
GET http://www.eye-saver.net/timezone?cid=VOL1-C4BA3647&countryCode=&versionMajor=2&versionMinor=48&ie=11&os=Windows+7&anticache=qhxqr4ic5ghk
HTTP code: 200 | IP: 188.114.96.3:80 | CN: unknown | Type: html | Size: 8.65 Kb | Reputation: unknown

Both requests go to the vendor's domain over cleartext HTTP on port 80. The installer's request is a version check that returns a 4-byte text body; the application's request carries a client identifier (cid), the product version, the installed Internet Explorer version and the OS name. The report shows no download following the version check, so only the check itself is observed, but a version check over cleartext HTTP is something an on-path attacker can tamper with, which is worth recording when assessing the software rather than this single run.

Connections

PID 4 (System): 192.168.100.255:138 | Reputation: whitelisted
PID 4 (System): 192.168.100.255:137 | Reputation: whitelisted
PID 1080 (svchost.exe): 224.0.0.252:5355 | Reputation: unknown
PID 2260 (Eye_Saver-setup-2.48.tmp): 188.114.96.3:80 | Domain: www.eye-saver.net | ASN: CLOUDFLARENET | CN: NL | Reputation: unknown
PID 3984 (Eye Saver.exe): 188.114.96.3:80 | Domain: www.eye-saver.net | ASN: CLOUDFLARENET | CN: NL | Reputation: unknown

The first three entries are the sandbox's own background traffic (NetBIOS name and datagram service broadcasts on UDP 137/138 from the System process, and LLMNR multicast to 224.0.0.252:5355 from svchost.exe) and are not attributable to the sample. Only the two connections to www.eye-saver.net, which resolves to Cloudflare address space, belong to the installer and the installed application.

DNS requests

www.eye-saver.net -> 188.114.96.3, 188.114.97.3 | Reputation: unknown

Threats

No threats detected
No debug info